Your medical records, HIPAA, and the illusion of privacy

HIPAA is supposed to protect our private medical records from prying eyes, but there are many exceptions and gaps as Michael P. Kassner found out while doing some research.

With the push to move Electronic Health Records (EHR) "into the cloud," and my recent article about "the cloud" being vulnerable, I was curious as to what extent the Health Insurance Portability and Accountability Act (HIPAA) protects our privacy.

To start, I thought it best to define what is considered sensitive health-care information. According to the Health and Human Services (HHS) Department:

The individual's past, present, or future physical and mental health or condition.

The provision of health care to the individual.

The past, present, or future payment for the provision of health care to the individual.

[A]nd that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social-Security Number).

I see all sorts of scenarios where well-meaning and not-so-well-meaning individuals would love to get their hands on this kind of information. For example, would not an advertising network, after learning I had an embarrassing itch, be more than willing to send me targeted pharmaceutical ads describing the perfect antidote?

Or, what if an enterprising blackmailer stumbled upon a document stating I failed a drug test? Whether or not my binge-eating poppy-seed muffins the morning of the test was the reason, I'd still have some explaining to do in order to retain my security clearances.

What are the chances?

A colleague told me I was "over the top" paranoid. I didn't think so. But I needed proof to convince him. And I found my proof at the Privacy Rights Clearinghouse (PRC) website. PRC offers:

A referral service for journalists and policymakers who are seeking victims of privacy abuses who have indicated a willingness to talk with the media and/or testify in legislative and regulatory agency hearings.

The non-profit's website has a search feature and I configured a search using the following settings.

Here are the results.

221 breaches in 2012 alone, and those were just the reported breaches. The search results also provide a detailed listing of each breach. I was surprised: one after another reported stolen medical records as well as other sensitive data like Social Security numbers. Here is one example:

A handheld electronic device used by XXXXXX pharmacists was discovered missing on October 5. The device was not encrypted and contained patient names, addresses, diagnoses, medications, and health insurance identification numbers. Some health insurance identification numbers were Social Security numbers or contained Social Security numbers.

So there is a problem. Yet, in every one of the 221 cases, there was little if anything we as individuals could have done to prevent the theft of medical data.

HIPAA is supposed to help

HIPAA was created in 1996. It consists of Title 1, which focuses on preserving health insurance coverage if a person loses their job. Title 2 creates standards for electronic healthcare records and addresses the security and privacy concerns surrounding healthcare data.

This HHS website goes into more detail about each of the rules, methods used by the Office of Civil Rights to enforce the rules, and how individuals can file a complaint.

What HIPAA does not protect

With HIPAA in place there are laws, and a way to enforce them. As to its effectiveness, I'll let you decide. I'm more concerned about what I hinted at in the Takeaway -- medical-record usage that HIPAA seemingly ignores.

As I was scanning through the PRC website, I came across two webpages that delineated what was covered by HIPAA and what was not. First the Medical Privacy FAQ webpage -- PRC wanted to clear the air right away:

Does HIPAA guarantee privacy for my medical information?

No. This is a major misconception about privacy in general. There is no universal privacy rule, even for sensitive medical information. Any privacy you do have depends on a number of things, primarily who has your information.

HIPAA provides some limited privacy protections. But, HIPAA only applies to covered entities, that is health-care providers, health plans, and what HIPAA calls "health-care clearinghouses", that is, those that transmit payment information electronically.

Next PRC introduces a term I was not aware of: Medical Information Bureau (MIB). It appears the MIB:

[G]athers information about individuals' health history and issues reports to insurance companies when you apply for private health, life or disability insurance.

Next question:

Is MIB covered by HIPAA?

No. MIB is a consumer-reporting agency that falls under the Fair Credit Reporting Act (FCRA) and triggers certain consumer rights.

Update: A representative of Medical Information Bureau took issue with the statement by Privacy Rights Clearinghouse, claiming that MIB is required to follow HIPAA:

Under HIPAA, MIB is a business associate of its members engaged in the business of certain types of health insurance and, accordingly, MIB has certain privacy and security obligations and restrictions regarding protected health information. Under the Health Information Technology for Economic and Clinical Health Act, MIB must have administrative, physical, and technical safeguards that meet the requirements of the HIPAA Security Rule, as well as written policies and procedures that meet the requirements of both the Privacy Rule and the Security Rule.

Yes, for the most part. A listing of disclosures of your health information is required by HIPAA. You can find out who has accessed your health records for the prior six years, although there are several exceptions to the disclosure requirement.

For example, a listing is not required when records are disclosed to the many individuals who see your records for treatment, payment, and health care operations (TPO). Those involved in TPO do not need to be listed in the disclosure log. Incidental disclosures permitted under HIPAA also do not have to be accounted for.
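The accounting rule the FAQ describes, as an added example that is not code from the article, PRC or HHS: it filters a disclosure log down to what a patient is entitled to see (prior six years, TPO and incidental disclosures left out). The log format, purpose codes and sample records are constructed for the illustration.

```python
"""Accounting of disclosures as the PRC FAQ describes it: a patient may ask a
covered entity who received their health information in the prior six years,
but disclosures for treatment, payment and health care operations (TPO) and
incidental disclosures are exempt from that listing.

Added illustration; not code from the article, PRC or HHS. The log format,
purpose codes and sample records are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List

# Purposes exempt from the accounting per the FAQ: the three TPO categories
# plus incidental disclosures. Everything else must be listed.
EXEMPT_PURPOSES = {"TREATMENT", "PAYMENT", "OPERATIONS", "INCIDENTAL"}

# Constructed request date used by the sample run below.
REQUEST_DATE = date(2013, 1, 15)


@dataclass(frozen=True)
class Disclosure:
    when: date
    patient_id: str
    recipient: str
    purpose: str
    description: str


def parse_line(line: str) -> Disclosure:
    """Parse one record in the constructed format
    YYYY-MM-DD|patient_id|recipient|PURPOSE|description."""
    fields = line.strip().split("|", 4)
    if len(fields) != 5:
        raise ValueError(f"malformed disclosure record: {line!r}")
    when, patient_id, recipient, purpose, description = fields
    return Disclosure(date.fromisoformat(when), patient_id, recipient,
                      purpose.strip().upper(), description)


def six_years_before(d: date) -> date:
    """Start of the look-back window; handles a 29 February request date."""
    try:
        return d.replace(year=d.year - 6)
    except ValueError:
        return d.replace(year=d.year - 6, day=28)


def is_accountable(rec: Disclosure, patient_id: str, today: date) -> bool:
    """True if this record must appear in an accounting requested today."""
    if rec.patient_id != patient_id:
        return False
    if not six_years_before(today) <= rec.when <= today:
        return False
    return rec.purpose not in EXEMPT_PURPOSES


def accounting_of_disclosures(lines: List[str], patient_id: str,
                              today: date) -> List[Disclosure]:
    """Listing the patient is entitled to, oldest disclosure first."""
    records = [parse_line(ln) for ln in lines if ln.strip()]
    return sorted((r for r in records if is_accountable(r, patient_id, today)),
                  key=lambda r: r.when)


# Constructed sample log: two patients, one stale record, mixed purposes.
SAMPLE_LOG = [
    "2012-11-02|P-001|Dr. Adams (attending)|TREATMENT|chart review before visit",
    "2012-11-05|P-001|Acme Health Plan|PAYMENT|claim submitted for visit",
    "2012-11-02|P-001|waiting-room visitor|incidental|name overheard at check-in",
    "2012-12-01|P-001|County Health Dept|PUBLIC_HEALTH|reportable disease notice",
    "2012-12-20|P-001|Civil court clerk|SUBPOENA|records produced under court order",
    "2008-03-01|P-001|State medical board|OVERSIGHT|records for licensing inquiry",
    "2006-06-30|P-001|Cancer registry|PUBLIC_HEALTH|older than six years, drops out",
    "2012-10-10|P-002|County Health Dept|PUBLIC_HEALTH|different patient, drops out",
]

if __name__ == "__main__":
    for rec in accounting_of_disclosures(SAMPLE_LOG, "P-001", REQUEST_DATE):
        print(rec.when, rec.recipient, rec.purpose, rec.description, sep=" | ")
```

Note that the TPO and incidental records are still kept in the log; they are only omitted from the listing the patient receives, which is exactly the gap the FAQ points out.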

The Medical Privacy FAQ webpage provides more information than I covered as well as links to sites providing additional help. Next, the most important question of all was on the Medical Records Privacy web page.

What medical information is not covered by HIPAA?

Financial records: Your credit card account and checking transactions are likely to include information about where you go for health care. Insurance applications and medical claims also contain health-related information. So it is possible for such medical information to be shared among affiliates of financial institutions. Such information is not protected by HIPAA.
Education records: Those maintained by your child's school contain vaccination histories, information about physical examinations for sports, counseling for behavioral problems, and records of visits to the school nurse. These records are not covered by HIPAA.
Employment records: Employment and medical information may be mingled in situations not covered by HIPAA.

Again, I barely touched all the questions on the web page. If you have any concerns, please visit the website, as the answers are more detailed, and include references to organizations related to each type of record.

Final thoughts

Our sensitive medical records are under attack from two fronts -- outright theft and gaping loopholes. I try to have some kind of solution, temporary or otherwise, but not this time. I'm at a loss. My only hope for this article is that you walk away with a better understanding of the current situation.

About Michael Kassner

Information is my field...Writing is my passion...Coupling the two is my mission.



The HITECH Act expanded a "person" at a "covered entity" that is subject to the privacy and security rules of HIPAA to include not only providers, but all employees. In addition, the HITECH Act also expanded the definition of a "covered entity" to include any business associates. These are outside firms that work with the medical information safeguarded by a covered entity. Furthermore, should a business associate further subcontract any work, that subcontractor, too, is considered a "covered entity".
HIPAA is not perfect, but it is better protection than that which existed before, which was none. I can tell you from experience that almost every medical provider views the minimal protections that HIPAA gives the consumer as an unnecessary burden on their time and effort. The fact that HIPAA requires a breach to be reported and tracked exposes just how lightly medical professionals take your privacy. It also requires that breaches are reported to professional and state regulatory bodies. The staggering numbers show that HIPAA is working, even if it does give ammunition to alarmist conspiracy nuts who do incomplete research, like Mr. Kassner.

As a long time health care administrator and CIO, the opinions and fears of those outside the industry point out my own myopic view of how we protect the privacy of our patients. Thank you for addressing this important topic.
I truly believe that the majority of medical practices -- your local physicians -- are not only well intentioned, but actually do a good job of ensuring the privacy of their patient information. When HIPAA first took effect I thought it was a colossal waste of time because we were already protective of this sensitive information. We've been force-fed HIPAA for so many years, though, that many practices are indeed driven by fear to be protective of the information, often to the chagrin of our patients and staff. Internally, we require strong passwords, lock down computers, encrypt hard drives, restrict and sandbox wireless networks, and so much more. We require photo ID of patients, and have numerous (lawyer approved) forms for information release, family members we can talk to, if we can leave a voice mail, ad nauseam. Beyond that, there are red flag rules that govern how we handle financial transactions. It is a pain for us all, but patients appreciate our being conscientious about their privacy.
I feel the real problem and danger with health data leakage is actually with the "allowed" information release pathways. By allowing an insurance company to pay medical claims on our behalf, we grant them the right to request all the medical information they want--and they do. By filling a prescription and having your insurer pay for it, you've given the pharmacy benefit manager the ability to aggregate your drug use data. Think about that for a moment.
The insurers need this information ostensibly to adjudicate claims. It is folly to think that is all they do with that data. An individual patient's health data isn't all that interesting, but when you have data on thousands and thousands of patients, well that's another story.
Having said all of this, I believe that the move to electronic health records has created a more secure environment in the physician office than the paper world provided. A fundamental difference is that we can restrict who has access, can quantify who has accessed the record, and easily see what was looked at and if it was passed along--something we could never do in the paper world. Unfortunately, this makes any data breach potentially much larger and far more catastrophic.

...for bringing this to light.
If you do a Google search for 'tweets from surgery,' you'll find another disturbing trend.
And no, you're not at all paranoid. I wish more would become aware, and aware to the point of asking a *lot* of questions.
I think we, as a society, have crossed the line with 'technology.' There is a growing, all-pervasive attitude that personal privacy and security are of no concern. A simple thing like checking permissions on an app for unknown(s) having complete control and access of your device seems to be a thing of the past.
And the marketing of 'social presence' as somehow being mandatory starting almost at birth is hard to comprehend.
I don't know the answer...

My wife and I have to file HIPAA permission forms every year in Minnesota or if one of us is hospitalized the doctors can't inform the other. She's on my medical insurance but if they call up about something for her I can't discuss it with them.
Yet... every yob in the county health department can get their hands on any of our medical records along with dozens (hundreds?) of others.
"I'm from the government and I'm here to help you." RUN! Run to the nearest exit!

The vast majority of these breaches in fact are not "breaches" but loss of the device - most left on airplanes, taxis, etc. If (and that is a big if) the IT provider is doing their job, the device can be tracked, erased and disabled. Additionally, and most importantly, whole disk encryption needs to be employed making the data completely useless to anyone without the proper credentials and those credentials have to meet certain complexity criteria. Removal of the disk will not provide a workaround.
Also, you failed to mention the financial penalties involved for the companies that fail to secure their data and the incentives on the whistle-blowers to report such instances. These penalties are enormous (often multiples of yearly revenue) and motivate most well-intentioned organizations to protect their data as best they can.

At the hospital system where I work we just started using a pharmacy database that pulls in every prescription the patient has gotten from a major pharmacy in the last six months. It is a requirement of the Joint Commission for Hospital Accreditation that hospitals reconcile all patient meds - home and in the hospital - so this is another tool that we have to use.
Many patients ask how we got the information. The information comes from an insurance database that keeps track of every prescription that your insurance or Medicare plan has paid for. The only way out is to opt out at the pharmacy when it comes to their privacy practices. How many of you have even read your pharmacy's privacy practices, much less opted out of them reporting your medication history to anyone that asks?

Before this abomination was flushed out of the goobermint comode all over our privacy I warned, and warned and warned and warned everyone who would listen that the above, and worse, would be the INTENDED result.
General rule 1: whatever government says is the goal of a "law" is actually the target. "protecting your privacy" means invading it without recourse. "stopping terrorism" means terrorizing the people with fake bogeymen. (see HL Mencken on that score)
You're not paranoid, Michael, not in the least. Keep it up and keep going, there's bound to be a critical mass someday that'll stand up and put an end to this kind of deceitful meddling.
BTW when this abomination was the topic of the day in DC I had fairly regular access to a lot of congress critters. Almost all of them pretended to understand the dangers, but it became clear after the fact that congress does not work for the people that elect them... not even close.
Government itself and to a lesser degree the insurance companies wanted this "law." Of course the goal was to get their hands on every bit of info about every last living being possible. (of course nowadays they announce they read every email, monitor every call etc and just about nobody gives a crap)
I can't wait until 'we the people' simply refuse to be mindless drones for this magical mind control mechanism we call "the state."

Your privacy will soon be at an even higher risk. With the HITECH act that was part of ARRA, hospitals must meet different levels of meaningful use, or they will be penalized through reduced Medicare and Medicaid payments. As part of that, it was mandated that all covered entities participate in a Health Information Exchange, or HIE. This means that your information, without your permission, will have to be sent to the HIE, and participating organizations will have access to your information at will.
At this point, there's no good way to lock that information down. Luckily, you can't participate in an HIE if there's not one, and there are very few out there right now. Hopefully, they will get the kinks worked out, but don't hold your breath.

At least in hospitals with computer systems and an electronic medical system. However, ALL accesses are tracked and logged. If you're not that person's doctor, PA, nurse, surgeon, or nutritionist, or in finance or quality, you'd better have a good reason for looking at a record, or expect to find another job and pay a very large fine.

Medical Privacy even under HIPAA is far from solid. For years insurance companies and Medicare have requested your medical records to see what the doctor did, was it a covered benefit, and especially is there documentation to support the charge code submitted for payment? Medicare and insurers look for every possible way to down-code, i.e. pay less for the service provided. Doctors and their billing departments do make errors, but insurers and Medicare are fraudulent much more than doctors in trying to pay less than is deserved. But I digress. You (and I) don't know who gets to see your records. If you are referred to a specialist or admitted to the hospital or seen in an emergency room, how many people do you think see or have access to your records? Fortunately people working in Medicare or an insurance company don't have time to read (and copy) your medical record. And lawyers sometimes will try to get records without proper authorization or signed releases. I have had lawyers threaten me if I did not give them ORIGINAL records rather than COPIES.
Privacy is not what you think it is or should be.

I'm the HIPAA security officer for my organization, and the number one thing I tell people is to never give your social security number. You'll be asked for it multiple times, but decline to give it. Also, if you have a PO Box, give that as your address.
All breaches are reportable, but not all incidents are breaches. In January each year, all incidents that are classified as breaches have to be reported to CMS for your state. If a breach is 500 or more records, those have to be reported immediately, and in some cases have to be reported to media outlets in your state, and surrounding states.
The majority of breaches that occur are still related to paper, for example, a recent one was a storage locker that went up for auction due to non-payment. When the buyer opened the boxes, he found that they were full of medical records for an entity that no longer existed. There is nothing in place to take records when a provider retires, dies, or is otherwise no longer practicing. The buyer contacted that state's CMS office, and they had no idea what to do. They told him to shred them, which he did.
The next highest number of breaches occur when devices are lost or stolen. This is easily prevented by encrypting the device, but more importantly, by not allowing data to be stored locally. Workstations, laptops, and mobile devices should be set up so that even if a user puts something on the desktop, it's wiped out when they log out.
After that, cases of identity theft occur when criminals deliberately work to get someone hired at an organization, usually in registration, and systematically steal people's identities.

Just because they Legislate that things are secure doesn't mean that they are.
or perhaps you could read that as
Just because you are Paranoid doesn't mean that there isn't someone out there who wants your Data for their own ends. ;)
As for protecting your own Medical Records personally I don't think that it's possible unless of course you do not involve yourself in Paid Employment, Visit any Medical Type Person and this doesn't just mean Doctors and generally don't use the Internet.
Even then it's not going to stop all your Medical Records being available just what is available and minimize what Data can be mined.
Col

Michael, you should write horror stories, here I am in my world of bliss and almost every article you write scares me half to death. ;)
I just did your same search but on year 2013 and we already have 5 reported breaches.
Thanks for keeping me and all the readers informed on these various security issues.

Your comments mirror much of the material I gleaned from my interviews. What you are concerned about is also what concerns others. Your example is similar to mine when I tell people whether they use their credit card on the internet or not is immaterial. What matters is they used a credit card, and their information now resides in a database/s.
Also, thank you for taking the time to share your experiences, it is certainly appreciated.

It would definitely be better if health care professionals were unable to get to your medical records without your explicit permission every single time, wouldn't it? What if you are unconscious?
Do you have any concept of how many people MUST touch your records for a normal office visit to take place? Would you prefer that there were NO rules to govern what or how those people handle your information?
The county health department cannot request your records without reason, this is part of the protection that HIPAA provides. Public health concerns ARE a valid reason. How do you think things like TB outbreaks are noted and contained so quickly? Records are pulled for everyone who may have had contact. Have you had your immunizations? Are they up to date? Good, you won't be bothered. If you have not, you will be asked to seek medical attention so, you know, you don't die.
What happens if you are in a car accident in another state? Should health professionals be required to seek your permission before viewing your records and providing treatment?
I have news for you. In most cases, your records simply represent a unit of work for the people involved, including the doctor. The sooner they can be shot of your lab-work and your records, the better.
Your doctor CAN, indeed, discuss your wife's medical conditions, care, and payments with you as long as she does not object. However, your doctor WILL NOT do so over the phone simply because you say you are her husband. Were he to do so, the incident would be seen as a breach and reported.

We can argue your use of "vast majority" but that was not my intent. My goal was to raise people's awareness of what is currently happening.
I also question your saying "penalties motivate most well-intentioned organizations." That does not sound like what a well-intentioned company would base their ethics on. And penalties are just a small part of the entire risk-assessment done by the company. There are several instances where an assessment was done and the penalty was cheaper than incorporating the fix. So guess what they did.

As I see it, if those who need to see my records get to, great. I am concerned about those who aren't supposed to and the "lax care" afforded our records currently makes it easier for them to sneak a peek.

It should be noted that paper records are not part of the security rule, only electronic records. So, the example of the storage locker given above, while considered a privacy breach, has no 'required' security rules associated with it.

The insurance database mentioned is called a pharmacy benefits manager, or PBM. I encourage you to do some research to really get worked up about these nefarious organizations.
These companies, such as ExpressScripts and Medco, are a kind of intermediary in the pharmaceutical transaction process. Even if a patient opts out at the pharmacy level, the PBM is still collecting the data, they just don't get to share it with the pharmacist.

Michael, I am not sure which point you want me to expand upon. I'll start with the last comment about lawyers. Before I retired our small multispecialty clinic used film in our x-ray studies. The lawyers wanted our original films for court cases, but if those films were damaged, destroyed or lost, we would not have the films for comparison when studies like chest x-rays were repeated. Now with digital recording of x-ray studies the "copies" are the same as the "originals." As to Medicare problems we would have a doctor order a chest x-ray on somebody scheduled for surgery. The doctor would just put "pre-op" for a history. He/she would not say that the patient had a history of bad lung disease or heart failure. Medicare will deny any chest x-ray done on a person before surgery. Many people do not need a chest x-ray prior to surgery, but Medicare does not trust the ordering physician to have the knowledge or the good sense to decide who needs a chest exam before surgery. Most of the time I would then review the medical record and find out what was wrong with the patient and why the chest x-ray was ordered. Then we would resubmit the bill to Medicare and almost always get paid. I did this even though I knew by the time I saw the record, added the additional history and then we re-billed Medicare, there was no profit. But I refused to give my services away for free. Incidentally, by now I have seen the patient's record, my clerk has and probably the person in billing has seen the record. Privacy? Not as much as you might think.

[b]The Road to Hell is Paved with Good Intentions.[/b]
The idea of having all your Medical Records in one location so that in an emergency they are accessible for your treatment is a great idea and will mean things like you not being administered medications you are allergic to.
Of course the down side is that when things break down whoever gets to look has complete access to the same records. With Computer Storage it's easier to get lots of different people's Medical Records or any other Records for that matter. In the past when everything was on Paper it took lots of Paper to get 1 person's Records and quite often involved several Semi's of Paper to get a few thousand people's records.
Today those several semi's can fit on a CD or something even smaller and be invisible when it's smuggled out of the building. ;)
But this is nothing new; just because a Government says that things should be Secure in no way implies that they are, and that an individual will not circumvent the poor in-place security. It's exactly what Bradley Manning is accused of doing and in that case it's a perfect example of [b]Stupidity[/b] taking control of the system and no safeguards at all being put in place. The people working there were told not to do something and then were trusted not to do it. :^0
Only a complete Idiot would believe that that was going to happen, even the Bureaucrats know that people are not trustworthy and place ways to at the very least slow the Naughty People down a little bit.
But as they always correctly say any [b]Security is only as Good as the Weakest Link and today that Weakest Link is very weak to Nonexistent.[/b] Way too many people will post things like that willingly on FB without a second thought till it comes back to bite them on the A$$. Of course with that belief with their own data they don't think twice about other people's data either.
But then again maybe I'm just paranoid. :^0
[i]edited to add[/i] Incidentally if you think things are bad now just wait till your Genetic Data is included in your Medical Records when that happens and it will very soon things are going to get a [b]Whole Lot Worse.[/b]
Currently we have no idea of what new medical developments will be introduced in the next 10 years let alone any longer, so the detail involved will get a lot more detailed and much more specific to just you [i]well at the very least the person whose Medical Records you have access to.[/i]
Col [/maniacal laughter]

Do you honestly believe that most people when asked for this data will not simply say yes?
Currently we don't have 1 overriding test where a simple sample can be taken and analyzed cheaply. It's coming so that Medical professionals will be able to treat the person for things that they don't as yet have but are likely to get. It's called Preventative Medicine. ;)
There are also many other things as yet not perfected that are going to very quickly outstrip any current legislation and as an example I call your attention to the Genetic Sample attached to all Medical Records in the X Files.
While I very much doubt that we'll have that type of thing I do believe that we will have something similar without the need to store Samples in everyone's Medical Files.
But by the same token I don't see why it will be necessary to keep Medical Records and Financial Information Separate. Some Bright Spark will decide that some sort of Centralized Data Base covering everything about everyone is a great idea and start the ball rolling to get it.
I'm betting that they'll even roll several Organizations with their Own Legislation into one and give it a Fancy New Name with lots of Lovely Sounding Legislation which has even less Protective Powers than are currently available.
Col

The PRC website mentioned this about genetic data:
"A 2008 federal law, the Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits employers and most health insurance plans from denying you employment or health benefits based on genetic information. Further, GINA says that neither your employer nor your health insurer can request, require or purchase genetic information about you.
For tips on how to protect the privacy of your genetic information, see the website for the non-profit organization Council for Responsible Genetics (CRG): www.councilforresponsiblegenetics.org/geneticprivacy/tips.html."